A security weakness in Android mobile operating system versions below 5.0, which potentially puts every Android device running those versions at risk of privilege escalation attacks, has been patched in Android 5.0 Lollipop.
The vulnerability (CVE-2014-7911), discovered by security researcher Jann Horn, could allow an attacker to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code on a target device under certain circumstances. ASLR is a mitigation that randomizes where code and data are placed in memory, so that memory-corruption exploits such as buffer overflows cannot rely on fixed addresses.
The flaw resides in java.io.ObjectInputStream, which fails to check whether the class of an object being deserialized actually implements Serializable. As a result, a crafted stream can cause an instance of an arbitrary class to be created with attacker-controlled field values; if such a class stores, for example, a native pointer in a field and passes it to native code from its finalize() method, the attacker controls that pointer once the object is garbage collected. Horn reported the vulnerability to Google's security team earlier this year.
A technical description of the bug has been provided by Jann Horn, the security researcher who discovered the flaw. He says that apps can communicate with system_service, which runs as the privileged system user (UID 1000), using Intents with attached Bundles; these “are transferred as arraymap Parcels and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way.”
To explain the issue, the researcher has provided technical details and a proof-of-concept (PoC) that crashes system_server. So far no full exploit has been published, and Horn is not certain how predictable system_server's address layout really is, or how easy it is to write a large amount of data into system_server's heap. Note also that exploiting this vulnerability on a vulnerable device requires getting a malicious app installed on it first.
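The following Java example is added here to illustrate the mechanism described above; it is not code from the original article or from Horn's PoC. It uses a hypothetical class, NativeHandle, which does not implement Serializable but holds a "native pointer" field that a finalizer would hand to native code (the class, its field name and the pointer value are assumptions). It hand-builds a Java serialization stream that claims NativeHandle is Serializable and sets that field, then feeds the stream to a stock ObjectInputStream and to an allowlisting subclass. On a current OpenJDK the stock stream rejects the payload with InvalidClassException, because the JDK performs the Serializable check that the pre-5.0 Android libcore skipped; the allowlisting subclass rejects it earlier, in resolveClass, before any instance exists, which is the defence an app that deserializes untrusted data should apply regardless of platform version.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

@SuppressWarnings({"deprecation", "removal"})
public class DeserializationCheck {

    /** Hypothetical target (assumption): NOT Serializable, but a finalizer consumes a pointer-like field. */
    static final class NativeHandle {
        long mNativePtr; // an attacker wants to control this value

        @Override
        protected void finalize() {
            // A real class would pass mNativePtr to a JNI method here.
            System.out.println("finalize() called with mNativePtr=0x" + Long.toHexString(mNativePtr));
        }
    }

    /** Hand-build a serialization stream that lies about className being Serializable and sets one long field. */
    static byte[] craftStream(String className, String fieldName, long ptr) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);                               // class to instantiate
        out.writeLong(0L);                                     // serialVersionUID (not compared for a non-Serializable local class)
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);  // flags: claim the class is Serializable
        out.writeShort(1);                                     // one field follows
        out.writeByte('J');                                    // primitive long
        out.writeUTF(fieldName);
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA);  // no class annotations
        out.writeByte(ObjectStreamConstants.TC_NULL);          // no superclass descriptor
        out.writeLong(ptr);                                    // value written into the field
        out.flush();
        return bos.toByteArray();
    }

    /** Look-ahead deserialization: refuse any class not explicitly allowed, before it is instantiated. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            Class<?> cl = super.resolveClass(desc);
            if (!Serializable.class.isAssignableFrom(cl)) {
                // Belt and braces: the stream's SC_SERIALIZABLE flag is attacker-controlled, the local class is not.
                throw new InvalidClassException(desc.getName(), "local class does not implement Serializable");
            }
            return cl;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = craftStream(NativeHandle.class.getName(), "mNativePtr", 0x41414141L);

        // 1. Stock ObjectInputStream. OpenJDK checks that the local class really implements
        //    Serializable and throws InvalidClassException. The pre-5.0 Android libcore skipped
        //    that check, so it would instantiate NativeHandle and fill mNativePtr from the stream.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            Object o = in.readObject();
            System.out.println("stock stream produced: " + o.getClass().getName());
        } catch (InvalidClassException e) {
            System.out.println("stock stream rejected payload: " + e.getMessage());
        }

        // 2. Allowlisting stream: the class name is checked in resolveClass, before any instance exists.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(payload), Collections.singleton("java.lang.Integer"))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("allowlist stream rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationCheck.java && java DeserializationCheck`. The allowlist must name every class the stream is expected to carry, including superclasses, because resolveClass is invoked for each class descriptor in the stream; anything else is refused before the runtime allocates an object, which is the point at which the original bug did its damage.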
Android 5.0 Lollipop is the latest mobile operating system from Google, which describes Lollipop as “the largest Android release yet,” with more than 5,000 new APIs. But some Lollipop users are warning others not to upgrade immediately, after experiencing broken apps, repeated crashes, and device slowdowns.